Although you could add these annotations to a web service they do not work as expected in Glassfish v3. I haven’t tested it with any other application server.
- If the URL of web service is not protected in web.xml, @RolesAllowed does not work.
- If the URL is protected in web.xml, @PermitAll does not work. You have to provide a valid principal.
So you have to specify protection level of every URL in web.xml. If you adjust all URLs in web.xml, what is the point of using these annotations?
It seams that these annotations are not well integrated with web services. They are designed just for EJBs.